How to query changes in Active Directory, including deleted objects?
I am using the code below to query changes to users/OUs in AD, but it doesn't retrieve any deleted objects. Any idea how to include deleted objects in this?
using System;
using System.Collections;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Net;
using System.Runtime.Serialization.Formatters.Binary;

static void Main(string[] args)
{
    BinaryFormatter bFormat = new BinaryFormatter();
    byte[] cookie = null;
    string strFileName = "cookie.bin";
    // Load the DirSync cookie saved by the previous run, if there is one
    if (File.Exists(strFileName))
    {
        using (FileStream fsStream = new FileStream(strFileName, FileMode.OpenOrCreate))
        {
            cookie = (byte[])bFormat.Deserialize(fsStream);
        }
    }
    string str_dcName = "xxxxx";
    // Not used by the search below
    System.DirectoryServices.DirectoryEntry rootDSE = new System.DirectoryServices.DirectoryEntry("LDAP://rootDSE");
    // user name, password, domain
    NetworkCredential cr = new NetworkCredential(@"xxx", "xxx", "xxx");
    LdapConnection connection = new LdapConnection(str_dcName);
    connection.Credential = cr;
    connection.Bind();
    string[] attribs = new string[3];
    attribs[0] = "name";
    attribs[1] = "description";
    attribs[2] = "objectGUID";
    SearchRequest request = new SearchRequest("DC=xxx,DC=xxx,DC=com", "(objectClass=*)", SearchScope.Subtree, attribs);
    DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
    request.Controls.Add(dirSyncRC);
    bool bMoreData = true;
    SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);
    while (bMoreData) // Initial search handler - DirSync cannot be combined with a paged search
    {
        foreach (SearchResultEntry entry in searchResponse.Entries)
        {
            IDictionaryEnumerator attribEnum = entry.Attributes.GetEnumerator();
            while (attribEnum.MoveNext()) // Iterate through the result attributes
            {
                // Attributes have one or more values, so we iterate through all the values
                // of each attribute
                DirectoryAttribute subAttrib = (DirectoryAttribute)attribEnum.Value;
                for (int ic = 0; ic < subAttrib.Count; ic++)
                {
                    // Attribute name
                    Console.WriteLine(attribEnum.Key.ToString());
                    // Attribute value
                    Console.WriteLine(subAttrib[ic].ToString());
                }
            }
        }
        // Get the cookie from the response to use it in the next search
        foreach (DirectoryControl control in searchResponse.Controls)
        {
            if (control is DirSyncResponseControl)
            {
                DirSyncResponseControl dsrc = control as DirSyncResponseControl;
                cookie = dsrc.Cookie;
                bMoreData = dsrc.MoreData;
                break;
            }
        }
        dirSyncRC.Cookie = cookie;
        searchResponse = (SearchResponse)connection.SendRequest(request);
    }
    // Serialize the cookie into a file to use in the next run
    using (FileStream fsStream = new FileStream(strFileName, FileMode.Create))
    {
        // Serialize the data to the stream. To get the data for
        // the cookie, call the GetDirectorySynchronizationCookie method.
        bFormat.Serialize(fsStream, cookie);
    }
    Console.WriteLine("Finished search...");
    Console.ReadKey();
}
The solution is to add isDeleted=TRUE to the request object:

    SearchRequest request = new SearchRequest("DC=xx,DC=xxx,DC=com",
        "(|(objectClass=organizationalUnit)(isDeleted=TRUE)(objectCategory=Person))",
        SearchScope.Subtree, attribs);
As far as my experience with SearchRequest goes, the filter will not work at any cost; it has its own issues. And in your case, to get Deleted Objects changes, you should use a Domain Admin privileged account or something like that.
Here, you need to give the privileged account that has complete rights over the Deleted Objects container.

    NetworkCredential cr = new NetworkCredential(@"administrator", "xxx", "xxx");
    LdapConnection connection = new LdapConnection(str_dcName);
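Pulling the two answers together, here is an added example (not the asker's code and not either answer's) of a DirSync poll that reports deletions separately from other changes and persists the cookie between runs. It requests isDeleted and lastKnownParent explicitly, because a tombstone keeps only a handful of attributes, and recognises a deleted entry by isDeleted=TRUE rather than by filter. The DirSync control itself needs the "Replicating Directory Changes" right on the naming context, so the account used here is assumed to be a dedicated service account granted just that right instead of a Domain Admin; dc01.example.com, DC=example,DC=com and svc-adaudit are placeholders. The cookie is an opaque byte array, so it is stored as raw bytes with File.WriteAllBytes; nothing on disk is ever run through BinaryFormatter, which would otherwise deserialize whatever is in that file.

```csharp
// Added example; not part of the question or the answers. Placeholders are marked.
using System;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Net;

class DirSyncDeletionMonitor
{
    const string CookieFile = "cookie.bin";   // same file name the question uses

    static void Main()
    {
        string dcName = "dc01.example.com";    // placeholder: your domain controller
        string baseDn = "DC=example,DC=com";   // placeholder: naming context to watch

        // The cookie is opaque bytes: read it back as bytes, deserialize nothing.
        byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null;

        using (var connection = new LdapConnection(dcName))
        {
            // Placeholder account; assumed to hold only "Replicating Directory Changes".
            connection.Credential = new NetworkCredential("svc-adaudit", "password-placeholder", "EXAMPLE");
            connection.SessionOptions.Signing = true;  // protect the session from tampering
            connection.SessionOptions.Sealing = true;  // and from eavesdropping
            connection.Bind();

            // Tombstones retain few attributes; ask for the ones that identify them.
            string[] attribs = { "name", "description", "objectGUID", "isDeleted", "lastKnownParent" };
            var request = new SearchRequest(baseDn, "(objectClass=*)", SearchScope.Subtree, attribs);
            var dirSync = new DirSyncRequestControl(cookie, DirectorySynchronizationOptions.IncrementalValues, int.MaxValue);
            request.Controls.Add(dirSync);

            bool moreData = true;
            while (moreData)
            {
                var response = (SearchResponse)connection.SendRequest(request);
                foreach (SearchResultEntry entry in response.Entries)
                {
                    if (IsTombstone(entry))
                        Console.WriteLine("DELETED  {0}  (was under: {1})",
                            OriginalName(entry.DistinguishedName), FirstValue(entry, "lastKnownParent"));
                    else
                        Console.WriteLine("CHANGED  {0}", entry.DistinguishedName);
                }

                // Pick up the server's cookie and whether another round is needed.
                moreData = false;
                foreach (DirectoryControl control in response.Controls)
                {
                    var dsrc = control as DirSyncResponseControl;
                    if (dsrc == null) continue;
                    cookie = dsrc.Cookie;
                    moreData = dsrc.MoreData;
                    break;
                }
                dirSync.Cookie = cookie;   // continue from where the server left off
            }
        }

        if (cookie != null)
            File.WriteAllBytes(CookieFile, cookie);   // raw bytes, no serializer involved
    }

    // A deleted object comes back with isDeleted=TRUE (returned as the string "TRUE").
    static bool IsTombstone(SearchResultEntry entry)
    {
        return string.Equals(FirstValue(entry, "isDeleted"), "TRUE", StringComparison.OrdinalIgnoreCase);
    }

    // First value of an attribute as a string, or "" when the entry lacks it.
    static string FirstValue(SearchResultEntry entry, string attributeName)
    {
        if (!entry.Attributes.Contains(attributeName)) return "";
        DirectoryAttribute attribute = entry.Attributes[attributeName];
        return attribute.Count > 0 ? (attribute[0] as string ?? "") : "";
    }

    // Deleted objects are renamed to "CN=<name>\0ADEL:<guid>,CN=Deleted Objects,...";
    // strip the marker to recover the name the object had before deletion.
    static string OriginalName(string deletedDn)
    {
        int marker = deletedDn.IndexOf("\\0ADEL:", StringComparison.Ordinal);
        return marker < 0 ? deletedDn : deletedDn.Substring(0, marker);
    }
}
```

If the monitoring account cannot be granted the replication right, DirectorySynchronizationOptions.ObjectSecurity is the alternative: the control then works without it but only returns the objects and attributes the account is allowed to read, so deletions of objects it could not see will not appear. Either way, treat cookie.bin as state that an attacker with write access to the host could tamper with; storing it as raw bytes limits the damage to a bad or reset cookie rather than arbitrary deserialization.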